So I wrote this script because I often need to run tcpdump on a remote host and then view the capture in Wireshark. The old method was to run tcpdump on the remote host, scp/rsync the file back to my local machine, open it in Wireshark and view it. This script saves a lot of time. It assumes you are logging in as root and will need to be modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump).
[codesyntax lang="bash"]
#!/bin/bash
# By Ed Wiget
# This runs tcpdump on a remote host and pipes it back locally to wireshark to view in realtime
# 20130205 - original script

# -z handles a missing argument; the unquoted [ $1 == "" ] test errors out when nothing is passed
if [ -z "$1" ]; then
    echo "What is the remote host by fqdn, i.e. server1.domain.com"
    read RHOST
else
    RHOST="$1"
fi

# process substitution hands wireshark a file descriptor fed by the remote tcpdump
wireshark -k -i <( ssh -l root "${RHOST}" /usr/sbin/tcpdump -i eth0 -w - )

# after you kill wireshark, the tcpdump still runs on the remote host...we need to kill it
# the [t]cpdump pattern keeps grep from matching its own command line
PIDOF=$(ssh root@"${RHOST}" "ps aux | grep [t]cpdump" | awk '{print $2}')
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@"${RHOST}" "pkill tcpdump"

# now we make sure it is killed
PIDOF2=$(ssh root@"${RHOST}" "ps aux | grep [t]cpdump" | awk '{print $2}')
if [ -z "${PIDOF2}" ]; then
    echo "pid check returns nothing, tcpdump is gone"
else
    echo "pid check returns ${PIDOF2}, tcpdump is still running"
fi
[/codesyntax]
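As an added example (not Ed Wiget's script), here is the same idea adapted for the non-root case the post mentions, with a sudo login, the host argument validated, and the capture's own SSH session filtered out so the capture does not feed back on itself. The account name, interface, and the sudoers rule allowing tcpdump and pkill are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the original script. Remote capture as an unprivileged
# account that has a sudoers rule for tcpdump and pkill (assumed), with the
# capture's own SSH traffic filtered out so it does not feed back on itself.
CAP_USER="${CAP_USER:-analyst}"   # assumed non-root account on the remote host
CAP_IFACE="${CAP_IFACE:-eth0}"
CAP_SSH_PORT="${CAP_SSH_PORT:-22}"

# Accept only hostname characters so the argument cannot alter the remote
# command line that we hand to ssh (a leading "-" would read as an option).
valid_host() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Every captured packet is carried back over SSH, and that SSH traffic would
# itself be captured, so exclude the SSH port. This also hides other SSH
# sessions on the host; narrow it with "and host <your ip>" if that matters.
capture_filter() {
  printf 'not tcp port %s' "$CAP_SSH_PORT"
}

# -U flushes each packet to the pipe so Wireshark updates in real time.
remote_cmd() {
  printf "sudo -n /usr/sbin/tcpdump -i %s -U -w - '%s'" "$CAP_IFACE" "$(capture_filter)"
}

# Wireshark's "-i -" reads pcap from stdin, so a plain pipe replaces process
# substitution. When Wireshark closes, ssh gets a broken pipe and exits, but
# the remote tcpdump may linger until its next write, so kill it explicitly.
# The [t] in the pattern stops pkill -f from matching the shell running it.
remote_capture() {
  host="$1"
  valid_host "$host" || { echo "usage: $0 server1.example.com" >&2; return 2; }
  ssh -l "$CAP_USER" "$host" "$(remote_cmd)" | wireshark -k -i -
  ssh -l "$CAP_USER" "$host" \
    "sudo -n pkill -f '[t]cpdump -i $CAP_IFACE -U -w -' || echo 'remote tcpdump already exited'"
}

# Run only when a host is given, so sourcing the file just loads the functions.
if [ $# -gt 0 ]; then
  remote_capture "$1"
fi
```

Run it as `./remote-capture.sh server1.example.com`; the remote side never sees the shell's interpretation of the host because it is rejected before reaching ssh.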